
Sumo Logic vs. Splunk: Cloud SIEM Comparison

Read about the advantages and disadvantages of both vendors as a cloud SIEM solution, and how Devo compares as a cloud-native alternative.

What is a true cloud SIEM solution?

It’s important to state that simply offering a SIEM as a SaaS solution does not make it a next-gen SIEM. Many legacy SIEM vendors have lifted and shifted their old, inefficient architectures to the cloud and deliver them as SaaS offerings. Running a legacy SIEM in the cloud yields high cloud infrastructure costs that organizations must bear. Beyond cost, security teams forced to use a legacy SIEM as SaaS also have to deal with a dearth of hot, searchable data and slow search performance at scale. Not exactly a recipe for success.

A good sniff test of whether a SIEM is truly cloud-native SaaS is to check whether it is also offered as an on-prem, self-hosted solution. If it is, it is almost certainly not a next-gen SIEM. Even if you can self-manage it in your private cloud, buyer beware: a self-hosted deployment, even in your own Amazon Web Services (AWS) account or another cloud environment, relies on you to make sure it scales out appropriately. Like most modern technologies, a next-gen SIEM is a complete SaaS offering.

So how do Splunk Cloud, Sumo Logic, and Devo compare in their cloud SIEM offerings?

  • Splunk Cloud: Splunk is not a cloud-native SaaS solution. It was designed as an on-prem solution that the company later moved to the cloud. While its SaaS solution—Splunk Cloud—is growing, it is a lifted-and-shifted architecture.
  • Sumo Logic: Sumo Logic is a cloud-native SaaS solution. Built on AWS, Sumo Logic was designed to live in the cloud and overcome many of the challenges of on-prem solutions. Sumo can only be deployed in AWS, and only in certain AWS regions.
  • Devo: Devo is a fully managed SaaS solution born in the cloud to handle the multi-terabyte needs of today’s data age. As of this writing (June 2021), it is available in AWS. It fully supports ingesting data from multi-cloud and hybrid cloud environments.

Cloud SIEM Architecture

One of the easiest ways to distinguish a legacy SIEM from a next-gen SIEM is to look at how each parses and stores data. Parsing may seem like a technical detail, but whether fields are extracted once at ingest time or from raw events at query time has implications across many aspects of the SIEM: how it copes with changes in data format, how much hot data it can afford to keep, and how quickly it can search.

Splunk Architecture

Splunk uses a variety of standard ingestion methods, most of which are fairly straightforward. However, Splunk does need to index data before it can be queried or alerted on. In addition, changes in data format can negatively affect data indexing. This can cause gaps in data and break alerts until data is re-indexed. This dramatically impacts Splunk’s agility and makes changes in data format a common problem.

Splunk’s approach to storage is the common “hot, warm, cold” tiering. Hot storage is typically 90 days, with additional hot storage available at a significant additional cost. Splunk uses multiple large indexes to speed up search times. As a result, its data compression ratio is not very good, usually around 2:1.

Sumo Logic Architecture

Data ingestion is relatively straightforward in Sumo regardless of whether data sources are on-prem or cloud-based. However, Sumo Logic’s field extraction rules are prone to error if a data source or its format changes. The biggest limitation in Sumo’s ingestion architecture is the way data moves from its base product into the Cloud SIEM. Sumo acquired its SIEM product with JASK in 2019, and it still suffers the drawbacks that often come with bolt-on solutions. Data must be ingested twice: once into Sumo’s base product, then again into the SIEM via Kafka queues. Not only does this make data significantly less real-time in the SIEM, but it also means not ALL data originally ingested makes it into the SIEM.

The Sumo Logic Cloud SIEM product has a much more rigid data structure, and not all data ingested into the Sumo base product is sent to the SIEM. This means some fields are not available for analysis in the SIEM product, particularly for unstructured or custom data sources. Also, since the data is essentially stored in two places, the effective storage and compression ratio is very poor, leading to high costs for hot data. This is why hot, fast, searchable data is very expensive in Sumo. Sumo tries to push its customers to use Amazon S3 Glacier for data older than 60-90 days.
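The format-change failure mode described in the Splunk and Sumo Logic sections above is easy to reproduce in a few lines. The following is an added example, not code from Devo, Splunk or Sumo Logic and not a model of any vendor's pipeline: it contrasts a single field-extraction rule applied once at ingest (schema-on-write) with parsing the retained raw event at query time (schema-on-read), using a constructed authentication log that switches from key=value to JSON part-way through. The hostnames, usernames, IPs and the detection threshold are all hypothetical.

```python
"""Added example: why a fixed extraction rule applied at ingest breaks a
detection when the source changes format, and why parsing the raw event at
query time survives the change. Not vendor code; all data is constructed."""
import json
import re
from collections import Counter

# Constructed sample: a hypothetical bastion auth log that switches from
# key=value (first three lines) to JSON with a renamed field (last three).
RAW_EVENTS = [
    '2021-06-01T10:00:01Z host=bastion01 action=login user=alice src=203.0.113.5 result=failure',
    '2021-06-01T10:00:02Z host=bastion01 action=login user=alice src=203.0.113.5 result=failure',
    '2021-06-01T10:00:03Z host=bastion01 action=login user=alice src=203.0.113.5 result=failure',
    '{"ts":"2021-06-01T12:00:01Z","host":"bastion01","action":"login","user":"bob","src_ip":"198.51.100.7","result":"failure"}',
    '{"ts":"2021-06-01T12:00:02Z","host":"bastion01","action":"login","user":"bob","src_ip":"198.51.100.7","result":"failure"}',
    '{"ts":"2021-06-01T12:00:03Z","host":"bastion01","action":"login","user":"bob","src_ip":"198.51.100.7","result":"failure"}',
]

# --- Schema-on-write: one extraction rule, fixed when the source was onboarded
KV_RULE = re.compile(r'user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)')


def index_at_ingest(raw):
    """Extract fields once at ingest. Lines the rule does not match are stored
    with no fields at all, so every later search silently misses them."""
    indexed = []
    for line in raw:
        m = KV_RULE.search(line)
        indexed.append(m.groupdict() if m else {})
    return indexed


# --- Schema-on-read: keep the raw line, pick a parser when the query runs
def parse_kv(line):
    fields = dict(re.findall(r'(\w+)=(\S+)', line))
    return fields if 'user' in fields else None


def parse_json(line):
    try:
        obj = json.loads(line)
    except ValueError:
        return None
    # Normalise the renamed field so the detection stays source-agnostic.
    if 'src_ip' in obj:
        obj['src'] = obj.pop('src_ip')
    return obj


PARSERS = [parse_kv, parse_json]


def parse_at_query(raw):
    parsed = []
    for line in raw:
        for parser in PARSERS:
            fields = parser(line)
            if fields:
                parsed.append(fields)
                break
        else:
            parsed.append({})
    return parsed


# --- The same detection over both representations
def brute_force_alerts(events, threshold=3):
    """Alert on `threshold` or more failed logins per (user, source IP)."""
    counts = Counter((e['user'], e['src']) for e in events if e.get('result') == 'failure')
    return sorted(key for key, n in counts.items() if n >= threshold)


def compare():
    """Return the alerts each approach raises on the same raw data."""
    return {
        'indexed': brute_force_alerts(index_at_ingest(RAW_EVENTS)),
        'raw': brute_force_alerts(parse_at_query(RAW_EVENTS)),
    }


if __name__ == '__main__':
    print(json.dumps(compare(), indent=2))
```

The ingest-time rule still fires for alice but never sees bob's failures after the format change, and nothing tells the analyst that the rule stopped matching; the query-time path catches both. The practical check this suggests when evaluating any SIEM is to feed it a source whose format changes mid-stream and confirm that existing detections keep firing without a re-index.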


Data Enrichment and Threat Intelligence

Enrichment means adding useful context to your data. Common examples include using reverse DNS to add machine names next to IP addresses, mapping usernames to the people who own them, and geolocating IP addresses to a physical location. Enrichments are a force multiplier for SOC analysts, enabling them to make critical decisions about the nature of the data they see.

  • Splunk: Splunk does not offer threat intelligence enrichments out of the box. It can integrate with a threat intelligence platform (TIP), but that integration must be set up manually; the process is described in the Splunk Enterprise Security documentation under “Threat Intelligence Framework.”
  • Sumo Logic: Sumo Logic offers out-of-the-box threat intelligence from CrowdStrike, but only for enterprise accounts, so there is a premium cost associated with this functionality. Sumo also maintains an updated threat intelligence database that can be correlated with log data through queries. This threat database is updated once per day and uses a multi-layer cache for performance rather than going back to the database for each query.
  • Devo: Devo comes integrated with the MISP threat intelligence sharing platform. This is operational on day one and doesn’t require any manual setup, scripting or coding. Other threat intelligence platform integrations, including Recorded Future, also are available.
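The enrichment examples above (reverse DNS, user identity, geolocation) and the threat-intelligence matching in this list are the same operation: a lookup of event fields against context tables, one of which happens to be an indicator feed. The following is an added example, not Devo, Splunk or Sumo Logic code and not any vendor's MISP integration: it enriches constructed proxy events with those three kinds of context and then matches them against a constructed MISP-style event export. The lookup tables, hostnames, users, IPs (RFC 5737 documentation ranges) and the MISP event are all assumptions so the script runs offline; in a real pipeline they would come from DNS, the identity provider, a GeoIP database and a MISP instance.

```python
"""Added example: event enrichment plus IOC matching against a MISP-style
export. Not vendor code; every table and event below is constructed."""
import ipaddress

# Constructed context tables (live lookups in a real deployment).
REVERSE_DNS = {"10.0.0.5": "bastion01.corp.example", "10.0.0.9": "hr-laptop-12.corp.example"}
USER_DIRECTORY = {"asmith": "Alice Smith (Finance)", "bjones": "Bob Jones (HR)"}
GEOIP = [  # (network, country): a constructed mapping for documentation ranges
    (ipaddress.ip_network("203.0.113.0/24"), "NL"),
    (ipaddress.ip_network("198.51.100.0/24"), "BR"),
]

# Constructed MISP-style event export. MISP attributes carry a `to_ids` flag
# that marks values as fit for detection rather than background context.
MISP_EVENT = {
    "Event": {
        "info": "Constructed example event",
        "Attribute": [
            {"type": "ip-dst", "value": "203.0.113.66", "to_ids": True},
            {"type": "domain", "value": "update-cdn.example", "to_ids": True},
            {"type": "ip-dst", "value": "198.51.100.7", "to_ids": False},  # context only
        ],
    }
}


def load_iocs(misp_export):
    """Index only attributes flagged to_ids=True; alerting on context-only
    attributes is a common source of false positives."""
    iocs = {}
    for attr in misp_export["Event"]["Attribute"]:
        if attr.get("to_ids"):
            iocs.setdefault(attr["type"], set()).add(attr["value"])
    return iocs


def geolocate(ip):
    """Longest-match is unnecessary here because the constructed table has
    no overlapping networks; a real GeoIP lookup handles that for you."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP:
        if addr in net:
            return country
    return None


def enrich(event, iocs):
    """Return a copy of the event with context fields and any IOC hits added."""
    e = dict(event)
    e["src_host"] = REVERSE_DNS.get(e["src"])
    e["user_name"] = USER_DIRECTORY.get(e["user"])
    e["dst_country"] = geolocate(e["dst"])
    hits = []
    if e["dst"] in iocs.get("ip-dst", set()):
        hits.append(("ip-dst", e["dst"]))
    if e.get("domain") in iocs.get("domain", set()):
        hits.append(("domain", e["domain"]))
    e["ti_hits"] = hits
    return e


# Constructed sample proxy events.
EVENTS = [
    {"user": "asmith", "src": "10.0.0.5", "dst": "203.0.113.66", "domain": "update-cdn.example"},
    {"user": "bjones", "src": "10.0.0.9", "dst": "198.51.100.7", "domain": "intranet.example"},
]


def run(events=EVENTS, misp_export=MISP_EVENT):
    """Enrich every event against the IOC set built from the MISP export."""
    iocs = load_iocs(misp_export)
    return [enrich(ev, iocs) for ev in events]


if __name__ == "__main__":
    for e in run():
        flag = "ALERT" if e["ti_hits"] else "ok"
        print(f'{flag}: {e["user_name"]} on {e["src_host"]} -> {e["dst"]} ({e["dst_country"]}) {e["ti_hits"]}')
```

The first event hits on both an IP and a domain indicator; the second touches an IP that appears in the feed only as context (`to_ids` false) and so is enriched with its country but not alerted on. Whatever platform performs this step, the two things to verify are that the indicator set honours the feed's own confidence flags and that the enrichment is applied to the data the SIEM actually retains, since, as noted for Sumo Logic above, fields that never reach the SIEM cannot be enriched there.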

Conclusion: Splunk Cloud vs Sumo Logic vs Devo

Although Splunk has the rich feature set you’d expect from a market leader, it is not a true next-gen cloud SIEM. It was designed and built to run on-prem, and its lifted-and-shifted architecture doesn’t benefit from the move to the cloud. And like many legacy vendors, Splunk charges extra for nearly every feature, which quickly escalates cost and makes it a very expensive solution. This is particularly true for storage, where the price jumps considerably if you want more than 90 days of hot, searchable data.

If your organization has predictable, low to medium ingest and search volume and is content with generic out-of-the-box content for alerts, dashboards, and threat intelligence, Sumo Logic may be a sound cloud SIEM solution for you. Sumo Logic is not a great choice if you have large ingest and search volumes, or if you need a mix of out-of-the-box AND customized content for detections, threat intelligence, dashboards and threat hunting.

Devo is not only a true next-gen cloud SIEM solution, but it offers the flexibility required by large enterprises with multiple technology stacks across multiple cloud providers. Devo’s ability to ingest data raw, with no indexing, makes it an ideal solution for customers with rapidly changing technologies. And its ability to scale out to terabytes of ingestion a day while offering 400 days of always-hot searchable storage makes it an ideal fit for very large organizations with long-term data needs. Finally, Devo’s pricing model is refreshingly simple and includes all features. You pay only for data ingested, averaged over a 30-day period.

How do Splunk, Sumo Logic and Devo compare?

Your guide to choosing the next-gen SIEM that fits your needs is here. Download the complete guide to see how Splunk, Sumo Logic and Devo compare in the areas that matter most.